I write frequently about things I struggle with in learning computer science. I thought today I’d switch it up a bit and talk about something I recently learned: many people find the idea of cyber security governance boring.

I know I’m not the best at reading people, but this came as a surprise. Why is that? Well… governance is really just a fancy way of saying ‘we’ve written down the things we do and how we expect people to do them’.

Why would you do that?

Well… people want to know what they can expect from your organization. (I mean, I suppose you could write some governance for yourself personally, but typically you see written governance at the organization level.) That governance is viewed as boring should not come as such a shock, I suppose. I encountered similar beliefs in the 20 years I worked in quality assurance and oversight. People view governance as a stack of paper they put together for the auditors. This audit angle is merely a by-product.

So…

What’s in ‘good security governance’ for you?

  • Your customers know what they can expect from you.
  • Your employees know what they are expected to do.
  • You can trace your results – good or bad – to a particular cause.

What if you don’t currently have any security governance and you don’t know where to start? You have the two standard choices in business:

  1. Hire Someone
  2. Do it Yourself

When it comes to cybersecurity, I don’t recommend you try to do it all yourself. Why? Because it takes time to learn, and that is time you probably don’t have available to invest in doing it right the first time.